CLAIMS 

We claim: 

1 1 . A stealth firewall comprising: 

2 a first network interface to an external network; 

3 a second network interface to an internal network; 

4 a packet filter for restricting access to said internal network, said packet filter not 

5 responding to said external network upon receiving requests from said external network 

6 to access said internal network; and, 

7© a state machine pre-configured to transition across a plurality of internal states, from 

8*2 a restricting state to an access state, conditioned upon receiving a plurality of requests to 

9* access said internal network, said plurality of requests collectively comprising a code for 

10m causing said state machine to transition from said restricting state to said access state 

1 tip which causes said packet filter to permit access to said internal network. 

W 

iO 2. The stealth firewall of claim 1, wherein said requests from said external network 

2 comprise transport control protocol (TCP) SYN messages. 

1 3. The stealth firewall of claim 2, wherein each state in said state machine corresponds 

2 to data in a specified field of said TCP SYN messages. 

1 4. The stealth firewall of claim 3, wherein said specified field comprises a destination 

2 port field. 
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1 5. The stealth firewall of claim 1 , wherein said code is a rolling code which can vary 

2 according to time. 



1 6. The stealth firewall of claim 2, wherein said packet filter can permit access to a 

2 specific port in said internal network based upon a destination port specified in a TCP SYN 

3 message received after transitioning to said access state in said state machine. 



1 w 7. A method for permitting access to a network protected behind a stealth firewall 

2 ¥ comprising the steps of: 

3 J initializing a state machine configured to grant access to the stealth firewall 
4[i contingent upon said state machine transitioning across a plurality of internal states 

5 o responsive to receiving a plurality of requests to access the network from a single network 

P? 

6UJ device, said plurality of requests collectively comprising a code for causing said state 

7p machine to permit access to the network; 

8 receiving an access request from a network device in a network which is external 

9 to the network protected behind the stealth firewall, identifying an access parameter in said 

10 access request and transitioning from an initial state in said state machine to an 

1 1 intermediate state if said identified access request satisfies transitioning criteria associated 

12 with said state machine for transitioning from said initial state to said intermediate state; 

13 receiving a further access request from said network device in said network which 

14 is external to the network protected behind the stealth firewall, identifying a further access 
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15 parameter in said further access request and transitioning from an intermediate state in 

16 said state machine to a final state if said identified further access request satisfies 

17 transitioning criteria associated with said state machine for transitioning from an 

18 intermediate state to said final state; 

19 not providing a response to said network device upon receiving each said access 

20 request from said network device in said network which is external to the network protected 

21 behind the stealth firewall unless said network device provides a sequence of access 

22 requests to the stealth firewall causing said state machine to transition to said final state; 
23*2 anc ' J 

24^ upon transitioning to said final state, permitting said network device to access the 

25% network protected behind the stealth firewall. 



IP 



10 8. A method for permitting access to a network protected behind a stealth firewall 

2yj comprising the steps of: 

30 receiving a plurality of access requests from a plurality of network devices which are 

4 external to the network protected behind the stealth firewall; 

5 not providing a response to said plurality of network device upon receiving each of 

6 said access requests; 

7 identifying access request parameters in said received access requests; 

8 performing state transitions in a state machine in the stealth firewall based upon 

9 identifying particular ones of said identified access request parameters; and, 
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upon identifying a pre-determined sequence of access request parameters, said 
identification of said sequence of access request parameters causing a corresponding 
sequence of state transitions in the said machine, permitting access to a selected network 
device responsible for transmitting said sequence of access requests parameters. 

9. A method for permitting access to a network protected behind a stealth firewall 
comprising the steps of: 

configuring a state machine to grant access to the stealth firewall contingent upon 
said state machine transitioning through a plurality of states based upon a sequence of 
access request parameters identified in received access requests from a single network 
device; 

setting said sequence of access parameters to a specific set of access parameters; 

and, 

disposing said state machine in the stealth firewall. 

10. A stealth firewall comprising: 

a first network interface to an external network; 
a second network interface to an internal network; 

a packet filter for restricting access to said internal network, said packet filter 
ignoring requests from said external network to access said internal network; 

fixed storage in which at least one authentication password can be stored; 
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7 a hash processor configured to apply a hashing algorithm to said stored at least one 

8 authentication password; and, 

9 a comparator configured to compare a hashed password and timestamp received 

10 from said first network interface, with a hashed result produced by said hash processor for 

1 1 a stored password associated with a user at said first network interface, said comparator 

12 causing said packet filter to permit access to said internal network where said hashed 

13 password and timestamp matches said hashed result. 

10 11. A machine readable storage having stored thereon a computer program for 
2% permitting access to a network protected behind a stealth firewall, said computer program 
3j comprising a routine set of instructions for performing the steps of: 

4ft initializing a state machine configured to grant access to the stealth firewall 

50 contingent upon said state machine transitioning across a plurality of internal states 

6W responsive to receiving a plurality of requests to access the network from a single network 

7p device, said plurality of requests collectively comprising a code for causing said state 

8 machine to permit access to the network; 

9 receiving an access request from a network device in a network which is external 

10 to the network protected behind the stealth firewall, identifying an access parameter in said 

11 access request and transitioning from an initial state in said state machine to an 

1 2 intermediate state if said identified access request satisfies transitioning criteria associated 

13 with said state machine for transitioning from said initial state to said intermediate state; 
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14 receiving a further access request from said network device in said network which 

15 is external to the network protected behind the stealth firewall, identifying a further access 

16 parameter in said further access request and transitioning from an intermediate state in 

17 said state machine to a final state if said identified further access request satisfies 

18 transitioning criteria associated with said state machine for transitioning from an 

19 intermediate state to said final state; 

20 not providing a response to said network device upon receiving each said access 

21 request from said network device in said network which is external to the network protected 

22 2 behind the stealth firewall unless said network device provides a sequence of access 

23 % requests to the stealth firewall causing said state machine to transition to said final state; 

24 Ji and, 

25 m upon transitioning to said final state, permitting said network device to access the 

is 

260 network protected behind the stealth firewall. 

$ s i 

ass? 

l.w 12. A machine readable storage having stored thereon a computer program for 

2 permitting access to a network protected behind a stealth firewall, said computer program 

3 comprising a routine set of instructions for performing the steps of: 

4 receiving a plurality of access requests from a plurality of network devices which are 

5 external to the network protected behind the stealth firewall; 

6 not providing a response to said plurality of network device upon receiving each of 

7 said access requests; 

8 identifying access request parameters in said received access requests; 
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9 performing state transitions in a state machine in the stealth firewall based upon 

10 identifying particular ones of said identified access request parameters; and, 

11 upon identifying a pre-determined sequence of access request parameters, said 

12 identification of said sequence of access request parameters causing a corresponding 

1 3 sequence of state transitions in the said machine, permitting access to a selected network 

14 device responsible for transmitting said sequence of access requests parameters. 

1 13. A machine readable storage having stored thereon a computer program for 

2 % permitting access to a network protected behind a stealth firewall, said computer program 
3 1; comprising a routine set of instructions for performing the steps of: 

4 y3 configuring a state machine to grant access to the stealth firewall contingent upon 

i 

5 p said state machine transitioning through a plurality of states based upon a sequence of 
60 access request parameters identified in received access requests from a single network 
jf4 device; 

8ff setting said sequence of access parameters to a specific set of access parameters; 

9 and, 

10 disposing said state machine in the stealth firewall. 
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